Android Apps Prone to MitM attacks

Friday, August 22, 2014 @ 04:08 PM gHale

One thousand of the most popular free Android apps from Google Play have a vulnerability that exposes them to man-in-the-middle (MitM) attacks, researchers said.

These apps have an SSL/TLS vulnerability that an attacker can leverage to his or her advantage, said researchers at the FireEye Mobile Security Team. They looked at how many apps communicate with their servers over secure network protocols, and whether the apps that do implement the Android platform’s SSL libraries correctly.

The researchers asked some of the tough questions: “Do they use trust managers that check certificate chains from remote servers? Does the hostname of the server extracted from the CA-issued certificate match the hostname of the server the application intends to connect to? Do the apps ignore SSL errors in WebKit (a component that renders server pages in mobile applications)?”

The results showed that of the 1,000 tested apps, 614 use SSL/TLS. Of those 614, 448 (around 73 percent) do not check certificates and 50 (around 8 percent) use their own hostname verifiers that do not check hostnames; of the 285 apps that use WebKit, 219 (around 77 percent) ignore SSL errors generated in it.
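The three questions the researchers asked map directly onto code patterns a reviewer can look for in an app's source. The following is an added example, not part of the original article and not FireEye's tooling; the rule patterns and the Java sample they run over are constructed for illustration:

```python
"""Hypothetical audit checks (not FireEye's tooling) for the three Android SSL anti-patterns
described above, run over Java source text. Bodies holding only a comment are not matched."""
import re
RULES = [
    # checkServerTrusted(...) [throws ...] { }  -> any certificate chain is accepted
    ("empty-trust-manager",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}")),
    # verify(...) { return true; }  -> any hostname is accepted
    ("permissive-hostname-verifier",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    # onReceivedSslError(..., SslErrorHandler <h>, ...) { ... <h>.proceed(  -> WebKit SSL errors ignored
    ("webview-ignores-ssl-error",
     re.compile(r"onReceivedSslError\s*\(\s*WebView\s+\w+\s*,\s*SslErrorHandler\s+(\w+)"
                r"\s*,[^)]*\)\s*\{[^}]*?\b\1\s*\.\s*proceed\s*\(")),
]

def scan(source: str) -> list[tuple[str, int]]:
    """Return (rule, 1-based line of the offending method) pairs, sorted by line."""
    findings = []
    for rule, pattern in RULES:
        for m in pattern.finditer(source):
            findings.append((rule, source.count("\n", 0, m.start()) + 1))
    return sorted(findings, key=lambda f: f[1])

# Constructed sample: three vulnerable implementations plus one correct WebViewClient.
SAMPLE = """\
public class Net {
    TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }};
    HostnameVerifier anyHost = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
    WebViewClient lax = new WebViewClient() {
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();
        }
    };
    WebViewClient strict = new WebViewClient() {
        public void onReceivedSslError(WebView view, SslErrorHandler h, SslError error) {
            h.cancel();   // correct: abort the load on a certificate error
        }
    };
}
"""
if __name__ == "__main__":
    for rule, line in scan(SAMPLE):
        print(f"line {line}: {rule}")
```

The correct `strict` client is not reported, and a `verify()` that compares the hostname against an expected value is likewise left alone; only the three accept-anything patterns are flagged.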

The numbers were somewhat different when the researchers analyzed the top 10,000 most popular apps, but still bad.

“Applications may use third-party libraries to enable part of their functionality. When these libraries have baked-in vulnerabilities, they are particularly dangerous because they make all applications that use them, and frequently the devices that run them, vulnerable. Furthermore, these vulnerabilities are not weaknesses in the applications themselves, but in the features they rely upon for functionality,” the FireEye researchers said.

The team tested their findings by creating proof-of-concept MitM attacks against several of these popular apps and the ad libraries they use, and found SSL vulnerabilities in both. Most of these apps have been downloaded several hundred times.